Geeks for your information
FIN7 Backdoor Masquerades as Ethical Hacking Tool - Printable Version

Thread: FIN7 Backdoor Masquerades as Ethical Hacking Tool (https://www.geeks.fyi/showthread.php?tid=15054), posted in Privacy & Security News (https://www.geeks.fyi/forumdisplay.php?fid=107) under News (https://www.geeks.fyi/forumdisplay.php?fid=105)

FIN7 Backdoor Masquerades as Ethical Hacking Tool - silversurfer - 15 May 21

Quote: The notorious FIN7 cybercrime gang, a financially motivated group, is spreading a backdoor called Lizar under the guise of being a Windows pen-testing tool for ethical hackers.
 
According to the BI.ZONE Cyber Threats Research Team, FIN7 is pretending to be a legitimate organization that hawks a security-analysis tool. They go to great lengths for verisimilitude, researchers said: “These groups hire employees who are not even aware that they are working with real malware or that their employer is a real criminal group.”
 
Since 2015, FIN7 has targeted point-of-sale systems at casual-dining restaurants, casinos and hotels. The group typically uses malware-laced phishing attacks against victims in hopes they will be able to infiltrate systems to steal bank-card data and sell it. Since 2020, it has also added ransomware/data exfiltration attacks to its mix, carefully selecting targets according to revenue using the ZoomInfo service, researchers noted.
 
Its choice of malware is always evolving, including occasionally using never-before-seen samples that surprise researchers. But its go-to toolkit has been Carbanak remote-access trojan (RAT), which previous analysis shows is highly complex and sophisticated compared with its peers: It’s basically a Cadillac in a sea of golf carts. Carbanak is typically used for reconnaissance and establishing a foothold on networks.
 
Lately, though, BI.ZONE researchers have noticed the group using a new type of backdoor, called Lizar. The latest version has been in use since February, and it offers a powerful set of data retrieval and lateral movement capabilities, according to an analysis published on Thursday.
 
“Lizar is a diverse and complex toolkit,” according to the firm. “It is currently still under active development and testing, yet it is already being widely used to control infected computers, mostly throughout the United States.”
 
Victims so far have included a gambling establishment, several educational institutions and pharmaceutical companies in the U.S., along with an IT company headquartered in Germany and a financial institution in Panama.

Read more: FIN7 Backdoor Masquerades as Ethical Hacking Tool | Threatpost